On Wed, Oct 13, 2021 at 05:02:22PM +0200, Florian Eckert wrote: > Until now, this feature was switched on via the kernel configuration > option KERNEL_SECCOMP. > > The following change a7f794cd2aa104fdbd4c6e38f9b76373bf9b96e1 now requires that > the package procd-seccomp must also be enabled for the build. > > However, this is not the case we have no dependency to enable this > package. > Also the imagebuilder cannot build the image, because of the implicit > package selection. > > This change adds a new configuration option CONFIG_SECCOMP like the > CONFIG_SELINUX option. > > If the CONFIG_SECCOMP is selected then the package procd-seccomp and > KERNEL_SECCOMP are enabled for this build. > > Signed-off-by: Florian Eckert <f...@dev.tdt.de> > --- > config/Config-build.in | 11 +++++++++++ > include/target.mk | 2 +- > package/system/procd/Makefile | 3 +-- > 3 files changed, 13 insertions(+), 3 deletions(-) > > diff --git a/config/Config-build.in b/config/Config-build.in > index f0e1aaa695..5887d1a9c4 100644 > --- a/config/Config-build.in > +++ b/config/Config-build.in > @@ -386,4 +386,15 @@ menu "Global build settings" > > endchoice > > + config SECCOMP > + bool "Enable SECCOMP" > + select KERNEL_SECCOMP > + select PACKAGE_procd-seccomp > + depends on (aarch64 || arm || armeb || mips || mipsel || i386 > || powerpc || x86_64) > + depends on !TARGET_uml
I guess 'default y' is needed to also make sure the symbol is selected by default if possible. > + help > + This option enables seccomp kernel features to safely > + execute untrusted bytecode and selects the seccomp-variants > + of procd > + > endmenu > diff --git a/include/target.mk b/include/target.mk > index 03192d3ebe..60760bf602 100644 > --- a/include/target.mk > +++ b/include/target.mk > @@ -39,7 +39,7 @@ DEFAULT_PACKAGES+=procd-ujail > endif > > # include seccomp ld-preload hooks if kernel supports it > -ifneq ($(CONFIG_KERNEL_SECCOMP),) > +ifneq ($(CONFIG_SECCOMP),) > DEFAULT_PACKAGES+=procd-seccomp > endif > > diff --git a/package/system/procd/Makefile b/package/system/procd/Makefile > index 6f506423f8..4c76045062 100644 > --- a/package/system/procd/Makefile > +++ b/package/system/procd/Makefile > @@ -82,8 +82,7 @@ endef > define Package/procd-seccomp > SECTION:=base > CATEGORY:=Base system > - DEPENDS:=@(aarch64||arm||armeb||mips||mipsel||i386||powerpc||x86_64) > @!TARGET_uml \ > - @KERNEL_SECCOMP +libubox +libblobmsg-json > + DEPENDS:=@SECCOMP +libubox +libblobmsg-json > TITLE:=OpenWrt process seccomp helper + utrace > endef > > -- > 2.20.1
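
Review bot: in the config/Config-build.in hunk, `select KERNEL_SECCOMP` forces the kernel symbol on without evaluating that symbol's own dependencies, so the two `depends on` lines under `config SECCOMP` become the only guard against enabling seccomp on a target that cannot support it. Please confirm that the architecture list and `!TARGET_uml` cover everything KERNEL_SECCOMP itself requires, and add a comment next to the list saying it must be kept in step with the kernel option. The help text also describes only the kernel feature ("safely execute untrusted bytecode"); one sentence on what procd-seccomp does with it would tell users what they are switching on.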
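
Review bot: in the include/target.mk hunk, the condition now tests CONFIG_SECCOMP, and the new symbol is declared without a `default`, so an existing .config that only sets CONFIG_KERNEL_SECCOMP=y silently stops adding procd-seccomp to DEFAULT_PACKAGES and the resulting image ships without the seccomp helper. Either give `config SECCOMP` a default so current configurations keep their behaviour, or call out the migration in the commit message. The unchanged comment above the test, "include seccomp ld-preload hooks if kernel supports it", no longer describes the condition and should be reworded to refer to the new option.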
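
Review bot: in the package/system/procd/Makefile hunk, `DEPENDS:=@SECCOMP` combined with `select PACKAGE_procd-seccomp` in config/Config-build.in ties the package one-to-one to the new symbol, so it can no longer be selected or dropped from the package menu on its own. If that is the intent, say so in the commit message, because the architecture and `!TARGET_uml` restrictions removed from this line now exist only in config/Config-build.in and a later edit there changes where this package can be built.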